foxy

Using $cookie For Sessions

Hey,

I'm currently reading around the topic of sessions, and I've come to the conclusion that the PHP session handling is too complex for what I need. I don't need to store session variables because my databases already handle all of that. I just need a session check that spits out a UserID so that I know who is logged on; the rest is accounted for.

I'd thought of doing this with a MySQL table of SessionID|UserID and storing the SessionID in a cookie on logon and checking that cookie in later scripts. The book I'm reading has an example of a MySQL-based solution that does something weird involving writing custom session functions and inserting them behind the standard PHP session handling functions. Thing is that this seems overcomplicated. I don't need anything except a UserID, and to be honest I'd rather avoid stuff like this, as it seems to make something very simple in concept into something arcane and hard to figure out. I'm not a big fan of overcomplicating something for the sake of being a smartass.

So, is my custom method OK do you think? I would be just shoving a SessionID into a cookie, and later retrieving it from $_COOKIE and comparing it to the SessionID|UserID to check for a login. Would there be any security risks arising from it? (I presume that transplanting cookies is a risk with PHP sessions anyway?) Is there a 'good practice' reason why I shouldn't do this?

Thanks.

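Here is how the SessionID|UserID table approach described in the post above might be implemented; this is an added example, not code from foxy or anyone else in the thread. It assumes a MySQL table named login_sessions (definition in the comment), an open PDO connection, a cookie name of `sid`, and PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example of the SessionID|UserID table idea from the thread.
// Assumed table (constructed for this example):
//   CREATE TABLE login_sessions (
//     token_hash CHAR(64) PRIMARY KEY, user_id INT NOT NULL, expires_at DATETIME NOT NULL);
const SESSION_COOKIE = 'sid';      // cookie name, an assumption
const SESSION_LIFETIME = 3600;     // seconds; the server enforces expiry, not only the browser

function start_login_session(PDO $db, int $userId): void {
    // A fresh 128-bit ID from the CSPRNG on every login: it must be unguessable, not
    // merely unique, and never one the client supplied (that is what fixation relies on).
    $token = bin2hex(random_bytes(16));
    // Store only a hash, so a dump of the table does not yield usable cookies.
    $stmt = $db->prepare('INSERT INTO login_sessions (token_hash, user_id, expires_at)
                          VALUES (?, ?, DATE_ADD(NOW(), INTERVAL ? SECOND))');
    $stmt->execute([hash('sha256', $token), $userId, SESSION_LIFETIME]);
    // HttpOnly keeps page scripts from reading the cookie, Secure keeps it off plain HTTP,
    // SameSite limits which cross-site requests carry it.
    setcookie(SESSION_COOKIE, $token, [
        'expires' => time() + SESSION_LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// The "session check that spits out a UserID": returns null when nobody is logged in.
function current_user_id(PDO $db): ?int {
    $token = $_COOKIE[SESSION_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {   // anything else is not one of our IDs
        return null;
    }
    $stmt = $db->prepare('SELECT user_id FROM login_sessions
                          WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->execute([hash('sha256', $token)]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Logout: invalidate the row on the server so the cookie value is useless afterwards.
function end_login_session(PDO $db): void {
    $token = $_COOKIE[SESSION_COOKIE] ?? '';
    $stmt = $db->prepare('DELETE FROM login_sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    setcookie(SESSION_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

Call start_login_session() after the password check succeeds and current_user_id() at the top of each protected script; the row-level expiry and the delete on logout are what PHP's built-in sessions otherwise do for you.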
I would not advise you to store session data in a cookie, as cookies are stored in the user's tmp folder, which anyone that uses the computer can access and read all cookie data from. Whereas sessions are stored on the server, where the client cannot read them.

You don't have to use what the book says for sessions. You can use sessions with their default behaviour, which is saving the session data to a file; this is already set up:
[code]<?php
session_start();

$_SESSION['userID'] = USER_ID_HERE;

?>[/code]
Then whenever you need to access the userID session, make sure you have session_start(); at the top of your script and use $_SESSION['userID'] to access the userID.

Some more advanced PHP programmers prefer to write their own session handler, which is what your book is teaching you/telling you. However, PHP's default session behaviour is fine.

If you want to use cookies then you can use the [a href="http://www.php.net/setcookie" target="_blank"]setcookie function[/a].

Erm, PHP session handler has to store something on the client too, otherwise there is no state... if it doesn't put that in a cookie, where does it put it? How is that more secure than dumping a generic 'ID' in a cookie? It's still theoretically possible to transplant it.

Session sets a cookie, which only stores the session id. Or if cookies are disabled it'll show the session id in the URL. The session id is automatically generated and is unique. The session data itself is stored in the location specified in the php.ini file.

Also, sessions are secure because in order for a malicious hacker to get the contents of the session, they have to be on the same computer to read the cookie which stores the session id. Plus sessions expire when the user closes his browser window or when the session expires. The session expiry time is set in the php.ini.

The only way to hack into someone's session is by session fixation, explained above. [a href="http://www.oreilly.com/catalog/phpsec/" target="_blank"]This book[/a] explains in detail about session fixation.

[quote]Session sets a cookie, which only stores the session id[/quote]

Which is exactly what I do with my custom method. So what is the advantage of using PHP sessions over my method?

Also, I question why you have just told me at length about the issue of an attacker getting the cookie off the same computer, [b]since I made clear in my post that I was 100% aware of this.[/b]

So, can I get an actual answer to the above question? I just want to make sure that there is no security or implementation issue here that I have missed, I am not looking for basic info about sessions. As far as I can see, my method is just as secure as PHP sessions. Is this correct or not? If not, why not?

[quote]I'm not a big fan of overcomplicating something for the sake of being a smartass.[/quote]

Your method does this right off the bat, because it is already done for you without the need for MySQL, as wildteen stated:

[quote]Session sets a cookie, which only stores the session id. Or if cookies are disabled it'll show the session id in the URL. The session id is automatically generated and is unique. The session data itself is stored in the location specified in the php.ini file.[/quote]

With this code as an example:

[code]<?php
session_start();

$_SESSION['userID'] = USER_ID_HERE;

?>[/code]

There's nothing wrong with your method (I cannot really say until we can see the code itself), but you're duplicating and complicating what is already available to you and gaining nothing from it.

Re being a smartass, I was referring to this process of writing session handling functions and inserting them behind the existing PHP ones. Why go to all that trouble to roll your own MySQL-based solution only to hide it behind the PHP functions? That's just more hidden layers of depth. If I came across that code and wondered why sessions were encountering problems, it'd take me longer to figure out why, because it would look as if the standard PHP sessions were doing it, not custom code.

I wanted a MySQL based solution for a reason, so please don't compare apples (file-based) and oranges (MySQL based).

Is anyone actually going to answer the very simple question I asked?
